Nmap is a powerful tool for network exploration and security auditing. It can be used for various tasks, such as host discovery, port scanning, OS detection, and vulnerability detection.
In this guide, we’ll do a simple penetration test to find vulnerabilities on our test network 192.168.0.1. We don’t have an IPS (Intrusion Prevention System) set up, so we’re free to run our tests without worrying about getting blocked.
Before we start, let’s establish what we already know about our test network. We have a website hosted on 192.168.0.128 and a Domain Controller on 192.168.0.2. We won’t try to actively exploit the vulnerabilities we find, but will focus on the discovery aspect.
Before performing any penetration test, you should seek permission from the owners of any target networks or services.
Install Nmap
If you haven’t already, the first step is to install Nmap on your computer. Nmap is available for Windows, Mac, and Linux operating systems, and you can download it from the official Nmap website.
On Ubuntu you can install nmap with:
sudo apt-get install nmap
Scan for Live Hosts
The first thing you want to do is to identify the live hosts on the network. This can be done by using the following command:
nmap -sn 192.168.0.0/24
This command will use the “ping” scan to send an ICMP echo request to every IP address in the 192.168.0.0/24 subnet. The “-sn” option specifies that we only want to do a host discovery scan without performing a port scan.
Running this on our test network, we found hosts alive at 192.168.0.128 and 192.168.0.2. The next step is to perform a port scan to identify the open ports on each host.
Identify open ports and services
Now that we have identified our targets, the next step is to perform a port scan to identify the open ports on each of them.
nmap -sS -p 1-65535 192.168.0.128
This command uses the TCP SYN scan method to identify open ports on the LAMP server. In this case, port 80 (HTTP) and port 443 (HTTPS) are open.
nmap -sS -p 1-65535 192.168.0.2
This command uses the TCP SYN scan method to identify open ports on the domain controller. Assuming that 135/tcp (RPC), 389/tcp (LDAP), 445/tcp (SMB) and 3389/tcp (RDP) are open, the domain controller is likely using LDAP or LDAPS.
OS Detection
Once you have identified the open ports on each host, the next step is to perform OS detection to determine the operating system running on each host. This can be done by using the following command:
nmap -O 192.168.0.128
This command attempts to identify the operating system running on the LAMP server. In this case, we found a Linux OS, most likely running a LAMP stack.
nmap -O 192.168.0.2
This command attempts to identify the operating system running on our domain controller. In this case it is a Windows Server, most likely acting as a Windows Domain Controller.
Identifying Vulnerabilities
Once you have identified the operating system running on each host, the next step is to identify vulnerabilities that can be exploited by attackers. This can be done by using the following command:
nmap --script http-wordpress-enum.nse 192.168.0.128
This command uses the http-wordpress-enum script to identify vulnerabilities in the WordPress site running on the LAMP server. In this case we can see the following WordPress plugins installed, which have pending updates that should be applied:
- akismet 5.0.2
- contact-form-7 5.2.4
- wordpress-seo 19.6
- w3-total-cache 2.3.0
We can also see that a weak password has been detected, i.e. admin / admin.
nmap --script ldap-search.nse -p 389,636 192.168.0.2
This command will use the ldap-search script to identify vulnerabilities in the LDAP or LDAPS service running on the domain controller. From our results, we can see that anonymous binding has been enabled. This means attackers can query the directory anonymously and retrieve sensitive information about user accounts, groups, and other objects in the directory that can be further exploited.
Findings / Remediation
Once the penetration test has been completed, we need to document our findings and provide any necessary remediation. In our scan, we found:
- A LAMP server running a WordPress site was identified at IP address 192.168.0.128, with ports 80 and 443 open. Several outdated plugins were installed that need to be updated, and a password policy should be implemented.
- A Windows domain controller was identified at IP address 192.168.0.2, with ports 389 and 636 open. The domain controller was found to be running LDAPS with anonymous binding enabled; this should be disabled to prevent potential attackers from querying the directory anonymously.
Normally you should also present your findings in a properly formatted report with all your recommendations and remediation steps. You can include an export of your results from nmap, produced with the following:
nmap -oX output.xml 192.168.0.0/24
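The XML export is what you would actually feed into a report, so here is an added example (not part of the original guide or of Nmap itself) that parses an nmap -oX file into per-host findings. SAMPLE_XML is a constructed sample shaped like nmap’s output for the two hosts above plus one host that was down; it is not captured scan data. The REVIEW_NOTES table and its wording are an assumption: it maps the ports this guide’s remediation section calls out to the check a reviewer should make before writing the finding up.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of what `nmap -sS -O -oX output.xml 192.168.0.0/24`
# would emit: the guide's two live hosts plus one host that was down.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -O -oX output.xml 192.168.0.0/24" version="7.94">
  <host>
    <status state="up"/>
    <address addr="192.168.0.128" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.8" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="636"><state state="open"/><service name="ldapssl"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="93"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.0.50" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed wording: ports the guide's remediation section calls out, mapped to
# the follow-up check that belongs in the report.
REVIEW_NOTES = {
    80: "HTTP exposed: confirm CMS and plugins are current (http-wordpress-enum)",
    389: "LDAP exposed: confirm anonymous bind is disabled (ldap-search)",
    636: "LDAPS exposed: confirm anonymous bind is disabled (ldap-search)",
    3389: "RDP exposed: confirm access is restricted to admin networks",
}


@dataclass
class HostSummary:
    addr: str
    os_guess: str | None
    # (port, protocol, service name) for every port nmap reported as open
    open_ports: list[tuple[int, str, str]] = field(default_factory=list)

    def review_notes(self) -> list[str]:
        return [REVIEW_NOTES[p] for p, _, _ in self.open_ports if p in REVIEW_NOTES]


def parse_nmap_xml(xml_text: str) -> list[HostSummary]:
    """Return one HostSummary per host that nmap reported as up."""
    root = ET.fromstring(xml_text)
    summaries = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never answered discovery carry no findings
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        os_match = host.find("os/osmatch")  # first osmatch is nmap's best guess
        summary = HostSummary(
            addr=addr_el.get("addr"),
            os_guess=os_match.get("name") if os_match is not None else None,
        )
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered and closed ports are noise in a findings list
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            summary.open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        summary.open_ports.sort()
        summaries.append(summary)
    return summaries


def render_report(summaries: list[HostSummary]) -> str:
    """Plain-text findings block suitable for pasting into the report."""
    lines = []
    for s in summaries:
        lines.append(f"Host {s.addr} (OS guess: {s.os_guess or 'unknown'})")
        for port, proto, name in s.open_ports:
            lines.append(f"  {port}/{proto} open  {name}")
        for note in s.review_notes():
            lines.append(f"  ! {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    # For a real export, replace SAMPLE_XML with open("output.xml").read().
    print(render_report(parse_nmap_xml(SAMPLE_XML)))
```

Only hosts with state="up" and ports with state="open" make it into the summary, so the down host and the filtered SSH port are dropped; the review notes are reminders to re-check a finding (for example the anonymous-bind result from ldap-search) before it is written up, not findings in themselves.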